trufflehog checksum fail

Dave Allured - NOAA Affiliate dave.allured at noaa.gov
Wed Aug 2 13:21:20 UTC 2023 

Please read about checksum failures and when to build from source, in the
Macports FAQ.  I would guess that you experienced either an intermittent
server outage, or a stealth update.  You can self diagnose this by trying a
manual download with curl.  Examine the result file.

Macports is designed to keep users in sync with the latest versions.
Please read about how to use older port versions in the HOWTO section.  In
general, using a down level version is not recommended, especially for a
security tool.  But it is possible.

I would not worry about the golang update.  Either version of trufflehog
will probably work just fine with either version of golang.


On Tue, Aug 1, 2023 at 9:38 PM Frank Cusack via macports-users <
macports-users at lists.macports.org> wrote:

> excuse the long copy paste at the end, but this way you can see exactly
> what happened.
>
> `sudo port install trufflehog` failed with source checksum failures. i
> don't know if the checksums were actually bad or if this is an anomaly when
> fetching the non-latest version. it does mean that i can never install that
> version of trufflehog, which is sad.
>
> anyway i got a hint to update first, so than after `selfupdate` (only! no
> port upgrades!) and another `sudo port install trufflehog` it worked.
>
> BUT it updated my golang!! this reminds me of brew. :( :~(
>
> I guess trufflehog is built from source? and it is hard coded to require
> go-1.20.7? ok, fine but you shouldn't be updating my runtime (vs buildtime)
> packages at least not without the Y/n prompt like on other implicit
> upgrades.
>
> I then discovered I merely had to activate the older version. OK, but the
> install/build process should have done this at the end, since I didn't
> request that upgrade.
>
> 1. did the failed version (3.45.3) of trufflehog actually have some error
> with checksum? or is this a macports anomaly.
> 2. do you agree macports has a bug re: forced, non-prompted, build deps
> upgrades?
>
> thanks
>
> [frank at mbp:~]$ sudo port install trufflehog
> Password:
> --->  Computing dependencies for trufflehog
> --->  Fetching archive for trufflehog
> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
> https://packages.macports.org/trufflehog
> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
> http://mirror.fcix.net/macports/packages/trufflehog
> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
> https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
> --->  Fetching distfiles for trufflehog
> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
> https://distfiles.macports.org/go
> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
> https://github.com/trufflesecurity/trufflehog/archive/v3.45.3
> --->  Verifying checksums for trufflehog
> Error: Checksum (rmd160) mismatch for trufflehog-3.45.3.tar.gz
> Error: Checksum (sha256) mismatch for trufflehog-3.45.3.tar.gz
> Error: Checksum (size) mismatch for trufflehog-3.45.3.tar.gz
> Error: Failed to checksum trufflehog: Unable to verify file checksums
> Error: See
> /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_trufflehog/trufflehog/main.log
> for details.
> Error: Follow https://guide.macports.org/#project.tickets if you believe
> there is a bug.
> Error: Processing of port trufflehog failed
> [frank at mbp:~]$ sudo port selfupdate
> --->  Updating MacPorts base sources using rsync
> MacPorts base version 2.8.1 installed,
> MacPorts base version 2.8.1 downloaded.
> --->  Updating the ports tree
> --->  MacPorts base is already the latest version
>
> The ports tree has been updated. To upgrade your installed ports, you
> should run
>   port upgrade outdated
> [frank at mbp:~]$ sudo port install trufflehog
> Portfile changed since last build; discarding previous state.
> --->  Fetching archive for go
> --->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
> https://packages.macports.org/go
> --->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
> http://mirror.fcix.net/macports/packages/go
> --->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
> https://ywg.ca.packages.macports.org/mirror/macports/packages/go
> --->  Fetching distfiles for go
> --->  Attempting to fetch go1.20.7.src.tar.gz from
> https://distfiles.macports.org/go
> --->  Attempting to fetch go1.20.7.darwin-amd64.tar.gz from
> https://distfiles.macports.org/go
> --->  Verifying checksums for go
> --->  Extracting go
> --->  Configuring go
> --->  Building go
> --->  Staging go into destroot
> --->  Installing go @1.20.7_0
> --->  Cleaning go
> --->  Deactivating go @1.20.6_0
> --->  Cleaning go
> --->  Activating go @1.20.7_0
> --->  Cleaning go
> --->  Computing dependencies for trufflehog
> --->  Fetching archive for trufflehog
> --->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
> https://packages.macports.org/trufflehog
> --->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
> http://mirror.fcix.net/macports/packages/trufflehog
> --->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
> https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
> --->  Fetching distfiles for trufflehog
> --->  Attempting to fetch trufflehog-3.46.2.tar.gz from
> https://distfiles.macports.org/go
> --->  Verifying checksums for trufflehog
> --->  Extracting trufflehog
> --->  Configuring trufflehog
> --->  Building trufflehog
> --->  Staging trufflehog into destroot
> --->  Installing trufflehog @3.46.2_0
> --->  Activating trufflehog @3.46.2_0
> --->  Cleaning trufflehog
> --->  Scanning binaries for linking errors
> --->  No broken files found.
> --->  No broken ports found.
> [frank at mbp:~]$ go version
> go version go1.20.7 darwin/amd64
> [frank at mbp:~]$ sudo port activate go @1.20.6_0
> --->  Deactivating go @1.20.7_0
> --->  Cleaning go
> --->  Activating go @1.20.6_0
> --->  Cleaning go
> [frank at mbp:~]$
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20230802/18d0a171/attachment.htm>

More information about the macports-users mailing list